Copy Link
Add to Bookmark
Report

Net-Sec Issue 042

eZine's profile picture
Published in 
Net Sec newsletter
 · 5 years ago

  

HNS Newsletter
Issue 42 - 18.12.2000
http://net-security.org

This is a newsletter delivered to you by Help Net Security. It covers weekly
roundups of security events that were in the news the past week. Visit Help
Net Security for the latest security news - http://www.net-security.org.

Subscribe to this weekly digest on:
http://www.net-security.org/text/newsletter

Table of contents:

1) General security news
2) Security issues
3) Security world
4) Featured books
5) Security software
6) Defaced archives


=================================================

Help Net Security news:
As you have noticed, our dedicated reporting of news, vulnerabilities
and press releases is following its usual timing. The Download section
is growing rapidly, as around 20+ programs are added each month.
The Newsletter subscribers list has reached a number of 1500+ and
growing.

Our Bookstore has been updated with new books and now has over
320 featured books. Some of the new additions include: "IP Quality
of Service (Cisco Networking Fundamentals)", "PKI: A Wiley Tech
Brief", "Secure Electronic Commerce: Building the Infrastructure for
Digital Signatures and Encryption" and "Rethinking Public Key
Infrastructures and Digital Certificates: Building in Privacy".
(http://www.net-security.org/various/bookstore)

The Viruses section has also been updated with new definitions and
in case you were wondering about the size of the section, it's over
460 files. New screenshots as well as more definitions coming soon.
(http://www.net-security.org/text/viruses)

Also if you or your company would like to advertise on Help Net
Security, and with it support our work and web site, please note that
advertising fees are as low as they can be. CPM for advertising on
the web site is $22 and your advertisement in the HNS newsletter
would cost $35. For more information on demographics of the site
or any additional information, please use the following e-mail:
(advertise@net-security.org)

=================================================



General security news
---------------------

----------------------------------------------------------------------------

OVERSEAS OFFICES FALL PREY TO CRACKERS
Security experts have warned that overseas offices are being targeted by
cybercriminals looking for weak links in IT security policies. Crackers are
increasingly attacking US or European companies by defacing the websites
of their satellite offices. Experts warn that this pattern may be repeated in
industrial espionage aimed at compromising general network security.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.vnunet.com/News/1115279


MATT MICHIE'S SECURITY OUTLOOK: PART I
This series of articles will guide a fledgling Linux system admin through entry
level computer security routines. It will consist of basic tutorials on subjects
such as where to find Linux security information, what services are vulnerable
or have been vulnerable in the past, encryption, firewalls, network intrusion
detection systems, and more.
Link: http://linux.com/sysadmin/newsitem.phtml?sid=1&aid=11359


STUDIES AND SURVEYS OF COMPUTER CRIME
This article reviews the principles for critical reading of research results
published in the popular and technical press and reviews highlights of
interview and survey studies of computer crimes and computer criminals.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/cover/coverstory20001211.html


JUDGE BLOCKS WHOIS SPAM
A federal judge dealt a significant victory to domain name registrar Register.com
in a lawsuit against Web hosting firm Verio Inc. over unauthorized use of data
about its customers. In issuing the preliminary injunction, Judge Barbara Jones
determined that Register.com had a significant likelihood of prevailing on its
claims that Verio violated usage policies, made unauthorized references to
Register.com in marketing messages, and improperly used robotic search
devices to obtain information on company servers.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.wired.com/news/business/0,1367,40609,00.html


RECORD COMPANY PREPARES TO SELL COPY-PROTECTED CDS
Fahrenheit Entertainment said it will begin selling copy-protected CDs by early
next year using encryption technology from SunnComm. If successfully employed,
SunnComm's technology could become the first to hamper the copying of CDs
onto the Internet - a practice described as one of the music industry's greatest
obstacles in its war against piracy. SunnComm said that the technology will also
prevent people from copying, or "burning," albums onto other CDs but would not
block them from recording songs onto cassette tapes.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.cnet.com/news/0-1005-200-4099854.html


ACTOR, HACKER AND WHAT MORE...
A 21-year-old actor is charged with computer fraud and theft for allegedly
hacking into a Hollywood talent agency's Web site, stealing private audition
listings and reselling them on the Internet.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.apbonline.com/newscenter/breakingnews/2000/12/11/acthack1211_01.html


LILO SECURITY TIPS
LILO Security is one topic that some Linux Security Expert's have a shady
background with. Here is a short article that discusses several techniques to
minimize the risk of passing LILO arguments at boot time and booting the
system in single user mode to get the root shell.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.linux4biz.net/articles/articlelilo.htm


INSTALLING A SECURE WEB SERVER
With "e-commerce" becoming an important part of many businesses, it's useful
to know how to set up your server to run SSL for secure transfer of sensitive
information. SSL, which stands for Secure Socket Layers, is a protocol by which
a client and server can communicate with one another securely, using encrypted
messages. Anyone intercepting the message will receive only garbage, since the
messages are encoded with the public keys of the conversants, but must be
decrypted with their private keys, which are not distributed.
Link: http://apachetoday.com/news_story.php3?ltsn=2000-12-11-001-06-OS-LF-AD


A MESSAGE CARVED IN SPAM
"I found a site that combines the subject that I hate to love (encryption)
with the product I love to hate (spam) to create the first-ever spam-based
encryption engine. Gloriously simple and wonderfully ironic, Spam Mimic lets
you send an e-mail message secretly encoded in spam."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.com/zdnn/stories/comment/0,5859,2663573,00.html


RULE SET BASED ACCESS CONTROL FOR LINUX VERSION 1.1.0
RSBAC is an open source security extension for current Linux kernels. It is
based on the Generalized Framework for Access Control (GFAC) by Abrams
and LaPadula and provides a flexible system of access control based on
several modules. All security relevant system calls are extended by security
enforcement code. This code calls the central decision component, which in
turn calls all active decision modules and generates a combined decision. This
decision is then enforced by the system call extensions.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://linuxsecurity.com/articles/server_security_article-2095.html


STILL LOSING AGAINST AN UNSEEN ENEMY
Although Christmas festivities are fast approaching, before network managers
relax too much it would be wise to apply the latest Bind patches to DNS servers
and lock down CGI access on your web servers. A warning from Internet Security
Systems X-Force, states that hundreds of computers are already infected with
'zombie' agents. These can be used by hackers to commandeer the machines
and cripple servers by flooding sites with a huge number of spurious requests,
in a repeat of February's massive attack on ebusinesses.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.vnunet.com/Features/1115278


INTERVIEW WITH THEO DE RAADT
"The auditing process developed out of a desire to improve the quality of our
operating system. Once we started on it, it becames fascinating, fun, and very
nearly fanatical. About ten people worked together on it, basically teaching
ourselves as things went along. We searched for basic source-code programmer
mistakes and sloppiness, rather than "holes" or "bugs"."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://slashdot.org/interviews/00/12/11/1455210.shtml


AUTHOR OF 'PROLIN' WORM ELUDES AUTHORITIES
The creator of a computer worm that spreads through Microsoft Outlook e-mail
in the guise of an Internet movie has so far eluded computer security authorities.
But anti-virus experts said the attachment hasn't caused major problems for
corporate computer networks.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cnn.com/2000/TECH/computing/12/12/worm.alert/index.html


CACHE ATTACK COULD REVEAL PEOPLE'S ONLINE TRACKS
A technique that exploits the way Web browsers store recently viewed data
could compromise Internet users' privacy by allowing an attacker to check
what sites a person has visited recently. The exploit - called a "timing attack"
- allows an unethical Web site to play 20 questions (or more) with a person's
browser and check whether the surfer has recently viewed any sites from a
predetermined list. Because Java and JavaScript are not necessary, and
switching off caching leads to unacceptable performance degradation,
there seems to be little hope that effective countermeasures will be
developed and deployed any time soon.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.cnet.com/news/0-1005-201-4110753-0.html


BACK DOORS, BACK CHANNELS AND HTTP(S)
As a network or system administrator, you usually desire the ability to limit what
goes into and comes out of your network. People achieve this through a variety
of methods, the most common by far being firewalls. However, most firewalls
and networks in general do have one service they will allow no matter what -
the ability for users to surf the Web. HTTP is a very simple (compared to, say,
FTP) and well understood protocol, and almost every workstation on any given
network is allowed to send out HTTP requests, and usually servers are as well.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/closet/closet20001213.html


CREDITCARD.COM HACKED, DATA EXPOSED
Creditcard.com was hit by an attacker who posted confidential credit card data
on the Internet. Newsbytes obtained information that led to a site containing
what appears to be credit card data, including account numbers, expiration
dates, names, zip codes, and, in some cases, full addresses. The FBI said it is
investigating the security breach, an agent said today. "Right now, we're
characterizing it as a hacking," Los Angeles FBI spokesman Matthew McLaughlin
told Newsbytes. He would not say whether any suspects were being questioned
or give details about what data was exposed.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.newsbytes.com/news/00/159307.html


ICANN WEB SITE DEFACED
The Internet Corporation for Assigned Names and Numbers (ICANN) got its web
site defaced today. Visually, the site just receieved a new title - "ICANN | We
Were 0wned By Mista_DNS | pH34R".
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.attrition.org/mirror/attrition/2000/12/13/www.icann.org/


A GOOD YEAR FOR THE BAD GUYS
One year ago, computer hacking still seemed a novelty to most Americans. So
what if the White House Web site could be defaced? But this year, computer
criminals crept into everyday life. Now we know they have the power to shut
down the world’s biggest Web sites. And we learned they can sneak inside
Microsoft’s computer system, raid credit card databases, and of course, write
viruses which bring the entire personal computing world to its knees. Now what?
Link: http://www.msnbc.com/news/493727.asp?cp1=1


LINUX INTERNET KIOSKS
Recently, the Federal Government of Costa Rica approved a plan to install
publicly-accessible terminals in post offices throughout the country that will
allow all citizens to use email and access the Internet. While the benefits of
such a plan are many and valuable, such a plan is not without concerns. In
addition to costs of overhead, maintenance and operations, the security of
information transmitted along public terminals would be a major consideration.
In this article by Anton Chuvakin, we will discuss creating a viable system of
Internet kiosks using RedHat Linux. This will include discussion of how to
implement such a system, and will also touch upon some of the various
aspects of security that one should consider when implementing such
a system.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/focus/linux/articles/linkiosk.html


THE YEAR IS 2020 AND...
A government think tank, Foresight, has produced a report on the future of
crime in a world that has gone online. The world of the criminal will be radically
changed by new technology. Rather than nicking your car stereo, the thief of
2020 will be after your whole digital persona. Electronic theft and fraud will
happen faster, reducing the chances of catching a person red-handed. But
there will be trade-offs. Physical property will be easier to protect when it
can all be tagged, for example, and much more identifying evidence will be
able to be gathered from the scene of a crime.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/6/15451.html


INTERVIEW WITH BSDI ON PROACTIVE BSD/OS SECURITY
"BSD/OS is often considered a "secure" operating system. I often see ISPs and
website hosting companies prominently brag that their servers are secure
because they run BSDi's operating system. BSDi itself often promotes itself by
saying it continues the BSD tradition of "extremely secure" systems. And for
the past couple years as a BSD/OS administrator (running a variety of versions),
I have found BSD/OS to be quite secure."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.bsdtoday.com/2000/December/Features362.html


MAN ARRESTED IN TOKYO
Metropolitan Police Department's anti-high-technology crime center said
Tuesday it has arrested a man on suspicion of illegally accessing and
deleting data from a Web site.
Link: http://home.kyodo.co.jp/fullstory/display.jsp?newsnb=20001212076


INDIAN TV STATION WEB SITE DEFACED
The website of Indian TV station - ZeeTv.com has been defaced by Pakistani
hacker who has flooded it with anti-India slogans. According to the messages
left on the page, this is an act of revenge to the television network's
programme "An Inside Story".
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.hindustantimes.com/nonfram/141200/detexc02.asp


OS IDENTIFICATION
When hackers plan to break into Websites, they first try to find out which
operating system the site is using. Once they determines that and which
services are running, their chances of successfully attacking a system are
greatly increased. What can you do to stop them? In this month's Building
Blocks of Security, Sandra Henry-Stocker introduces active and passive
stack fingerprinting, two ways that hackers profile your systems.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.idg.net/ic_310990_2058_1-1474.html


POWER PLAY: ELECTRIC COMPANY HACKED
The intruders gained access to the power company's servers by exploiting a
vulnerability in the company's file storage service, said NIPC, which would not
name the power company. The federal agency, in conjunction with the FBI and
the Department of Justice, investigates such attacks on the United States
information and communications systems.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.com/zdnn/stories/news/0,4586,2665199,00.html


THE STORY OF JEFF: PART IV
This story is the ongoing saga of Jeff, a tragic tale full of hardship, heartbreak
and triumph over impossible odds. Jeff is your average network administrator,
responsible for Acme, Inc.'s Microsoft-based corporate network. What's in the
cards for a network administrator trying to document what is installed on the
network, and to deploy a software management system? Well, in Jeff's case
nothing but bad luck, of course.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/articles/jeff20001215.html


SECURING LINUX: PART 2
This second article in the series takes you through TCP wrappers, OpenSSH,
disabling unnecessary services and better monitoring of system activity by
using unique log files to monitor specific information.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.freeos.com/articles/2896/


THUS VIRUS VARIANT IS NOT VERY SCARY
New variants on an old macro virus showed up this week. First spotted in
September last year, the Thus virus tries to erase all the data on an infected
hard drive. Graham Cluley, senior technology consultant at Sophos, said: "We
didn't get any calls. This really isn't an issue if you are running anti virus
software - just about everything should catch it."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/4/15516.html


SYSTEM ADMINISTRATORS SALARY SURVEY
If you're a Unix system administrator and male, the chances are good that you
earn almost $10,000 per year more than your Windows counterparts, according
to a new survey released this week by the System Administration Networking
and Security Institute.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO55309,00.html


E-MAIL SECURITY USING MUTT AND GPG
E-mail is the most widely used means of communication on the net. Convenient?
Yes! Safe? No! Encryption is what you need to keep your communications
private. This article shows you how you can use the mail client Mutt and
the open source replacement of PGP-GnuPG, to secure your e-mail.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.freeos.com/articles/2927/


THE END OF SSL AND SSH?
"Yesterday, dsniff 2.3 was released. Why is this important, you ask? dsniff 2.3
allows you to exploit several fundamental flaws in two extremely popular
encryption protocols, SSL and SSH. SSL and SSH are used to protect a large
amount of network traffic, from financial transactions with online banks and
stock trading sites to network administrator access to secured hosts holding
extremely sensitive data. Both SSH and SSL use "public key encryption,"
wherein their vulnerabilities lie. They also rely heavily on the user to make the
right decisions when faced with an attack, and most users are not educated
enough to know what exactly they are dealing with. Users often make the
wrong decision — how many times have we told users not to open up
executables emailed to them?"
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/cover/coverstory20001218.html

----------------------------------------------------------------------------




Security issues
---------------

All vulnerabilities are located at:
http://net-security.org/text/bugs


----------------------------------------------------------------------------

FOOLPROOF SECURITY VULNERABILITY
A vulnerability exsists in FoolProof Security, in that it restricts certain programs
to be executed only by name. By renaming a restricted program, it can be
successfuly executed. This vulnerability can be used to sucessfully
circumvent the security measures put forth by FoolProof, and even
remove it entirely from the system.
Link: http://www.net-security.org/text/bugs/976546011,15554,.shtml


COLDFUSION DENIAL OF SERVICE
The vulnerability can crash the ColdFusion server and in some cases the
system it is installed on. The problem will potentially cause the denial of
web-based services on the server.
Link: http://www.net-security.org/text/bugs/976546046,49752,.shtml


DOS VULNERABILITY IN RP-PPPOE
There is a denial-of-service vulnerability in rp-pppoe versions up to 2.4.
rp-pppoe is a user-space PPPoE client for a bunch of UNIXes and Linux,
used by many residential ADSL customers. If you use the "Clamp MSS"
option and someone crafts a TCP packet with an (illegal) "zero-length"
option, rp-pppoe will fall into an endless loop. Eventually, the PPP daemon
should time out and kill the connection. Solution: Upgrade to rp-pppoe 2.5
at http://www.roaringpenguin.com/pppoe/. If you cannot upgrade quickly,
do not use the "Clamp MSS" option until you can upgrade.
Link: http://www.net-security.org/text/bugs/976579297,44223,.shtml


MOD_SQLPW PASSWORD CACHING BUG
The mod_sqlpw module for ProFTPD caches the user id and password information
returned from the mysql database when attempting to verify a password. When
the "user" command is used to switch to another account, the cached password
is not cleard, and the password entered is checked against the cached password.
If a user knows the password for a valid account on a ProFTPD system using
mod_sqlpw, they may log into any other account in the database.
Link: http://www.net-security.org/text/bugs/976670682,70164,.shtml


NETADDRESS.COM/USA.NET EMAIL FILE THEFT
Any user of usa.net-powered email service can read any file on the server,
accessible to the web daemon and can flood other users with large
attachments without wasting bandwidth to upload them.
Link: http://www.net-security.org/text/bugs/976670765,85995,.shtml


WIN32 COMMAND-LINE MAILERS HOLES
The majority of the command-line SMTP mailers available for Win32-based
systems are vulnerable when used to send mail from a web server. The
vulnerabilities found include the ability to: - Read and/or write to the server's
file system; - Retrieve files from the server's file system as mail attachments;
- Bounce and/or spoof e-mail messages; - Spam, flood, mail bomb, or otherwise
use a server's resources without authorization; - Bounce off a server to perform
port scans; - Bounce off a server to perform brute-force attacks to POP and/or
SMTP accounts; - Change default mailer options to route all e-mails through an
untrusted mail server; - Discover information about the server and/or company,
including physical paths, e-mail addresses, and environment variables; - Perform
a number of DoS attacks on a server as well as using the server to perform DoS
attacks towards other systems; - View logs of e-mail messages and mailer
configuration files. The vulnerabilities found range from very minor to very
serious and immediate attention should be given if using a command-line
SMTP mailer.
Link: http://www.net-security.org/text/bugs/976670784,27568,.shtml


@STAKE WENT ON MICROSOFT'S WAY
"At least another author of security bulletins decided to go a similar route as
Microsoft did with their email security notices. Last week @Stake, the company
that acquired the L0pht, posted to the list a security notice that consisted of
a title, affected products, a link to their web advisory and little more. At the
time I refused to approve the message."
Link: http://www.net-security.org/text/bugs/976721617,13687,.shtml


WEAKNESS IN WINDOWS NT REVERSE-DNS LOOKUPS
After seeing a lot of NetBIOS node-status probes in my firewall logs, I
discovered that many NT servers apparently do a reverse DNS lookup
by sending a NetBIOS node-status query. It seems to me that it's much
easier to spoof an answer to a NetBIOS node-status request than to tamper
with the actual DNS system. The Web page says this is only used for WINS
lookups, but I see a lot of these probes coming from machines across the
Internet. Essentially, NT believes *the system it is querying* rather than
a DNS server. It is (presumably) easier to take control of a system you
own rather than a DNS server over which you do not have administrative
control.
Link: http://www.net-security.org/text/bugs/976757343,33772,.shtml


@STAKE ADVISORY NOTIFICATION FORMAT
"I think everyone out there knows that we are committed to full disclosure and
the concept of freely available security advisories. Many vendors do not issue
bulletins after we report problems to them, even after they subsequently fix
the problems. Without advisories from independant researchers there is no
check on product vendors. This is a service that we give to the security
community because we think it is the right thing to do with the fruits of
our research. With our new mailing list notification format we have not
changed this one bit."
Link: http://www.net-security.org/text/bugs/976818293,3710,.shtml


J-PILOT PERMISSIONS VULNERABILITY
J-Pilot automatically creates a ".jpilot" directory in the user's home directory to
store preferences and backed up PalmOS device data. The permissions for this
directory are mode 755, and files in the directory are mode 644; this allows
anyone with only minimal access to the user's home directory to also access
thier PalmOS device's backup data, including private records.
Link: http://www.net-security.org/text/bugs/976893706,92808,.shtml


AHG EZSHOPPER VULNERABILITY
NSFOCUS security team has found a security flaw in loadpage.cgi of EZshopper
of AHG. Exploitation of it can allow attacker to get file list of EZshopper
directories and sensitive file contents.
Link: http://www.net-security.org/text/bugs/976893788,14899,.shtml


MS WINDOWS NT 4.0 MSTASK.EXE CODE ERROR
MSTask.exe is an application that ships with the Windows NT 4.0 A strange
behavior was discovered in the MSTask.exe code. If exploited, this vulnerability
allows and attacker to slow down vulnerable Windows NT and sometimes to
freeze it.
Link: http://www.net-security.org/text/bugs/976893806,58815,.shtml

----------------------------------------------------------------------------




Security world
--------------

All press releases are located at:
http://net-security.org/text/press

----------------------------------------------------------------------------

NCIPHER SUPPORTS ENTRUST/PKI SOLUTION - [11.12.2000]

nCipher Inc., a leading developer of Internet security products for e-commerce
and Public Key Infrastructure (PKI) applications, announced that its hardware
security modules (HSMs) are now Entrust-Ready(TM). With this designation,
companies deploying the Entrust/PKI (TM) 5.1 software have the flexibility to
add an nCipher HSM to their PKI, including nCipher's FIPS 140-1 Level 3
validated nShield.

Press release:
< http://www.net-security.org/text/press/976546246,15196,.shtml >

----------------------------------------------------------------------------

SECURITY FOR VETERANS AFFAIRS SMART CARD PROGRAM - [11.12.2000]

International (3GI), a provider of market-leading authentication software and
services, announced today that the VA has selected its Passage Security
products for a major smart card rollout to be initiated next year. 3GI will
provide its Passage products to the VA under a reseller agreement with
MAXIMUS, which recently won the prime contract for the VA smart card
initiative. Initially, the smart cards will contain administrative, clinical and
benefits eligibility information and allow veterans to conduct digitally
signed transactions over the Internet.

Press release:
< http://www.net-security.org/text/press/976546318,52529,.shtml >

----------------------------------------------------------------------------

RAINBOW'S SSL ACCELERATION TECHNOLOGY - [11.12.2000]

Rainbow Technologies, Inc., a leading provider of high-performance security
solutions for the Internet and eCommerce, announced a new OEM agreement
with Sun Microsystems to provide a SSL accelerator solution for Sun's family
of eCommerce and enterprise Web applications.

Press release:
< http://www.net-security.org/text/press/976561625,36490,.shtml >

----------------------------------------------------------------------------

MERILUS SIGNS AGREEMENT WITH RSA SECURITY - [12.12.2000]

Merilus Technologies has signed a licensing agreement with RSA Security Inc.
to incorporate RSA technology into the Gateway Guardian line of software and
the recently announced FireCard PCI firewall. FireCard is the first use of the
Transmeta Crusoe Microprocessor in an embedded application. FireCard's
innovative design transforms any PC into a secure Internet computer capable
of withstanding digital security threats. Gateway Guardian is a line of software
products, which turns any computer into a secure Internet Gateway designed
to protect computer networks from hackers or intruders.

Press release:
< http://www.net-security.org/text/press/976626818,90606,.shtml >

----------------------------------------------------------------------------

ENHANCED GLOBAL IP-BASED VPN SOLUTIONS - [12.12.2000]

Cable & Wireless, the global telecommunications group, announced it has
further enhanced the functionality and global availability of its IP-VPN solution
portfolio. The IP-VPN solutions can now be scaled to meet the needs of all
companies, from small and medium-sized businesses to multi-national
corporations.

Press release:
< http://www.net-security.org/text/press/976626972,47946,.shtml >

----------------------------------------------------------------------------

ZKS UNVEILS FREE AND EASY TO USE FREEDOM 2.0 - [13.12.2000]

Zero-Knowledge Systems Inc., the leading developer of privacy solutions for
consumers and business, today unveiled the next generation version of its
award-winning Freedom Internet Privacy Suite. Freedom 2.0 now offers five
standard privacy and security features as a free download in addition to
enhanced paid premium services of untraceable private email and anonymous
private browsing and chat.

Press release:
< http://www.net-security.org/text/press/976671153,51669,.shtml >

----------------------------------------------------------------------------

MOBILE CERTIFICATION SERVICES - [15.12.2000]

Entrust Technologies Limited, a subsidiary of Entrust Technologies Inc.,
Hongkong Post and Infomaster Holdings, at a press conference in Hong Kong,
announced that they have signed a Memorandum of Understanding for the
provision of mobile certification services to the people of Hong Kong.

Press release:
< http://www.net-security.org/text/press/976894409,45719,.shtml >

----------------------------------------------------------------------------




Featured books
----------------

The HNS bookstore is located at:
http://net-security.org/various/bookstore

Suggestions for books to be included into our bookstore
can be sent to staff@net-security.org

----------------------------------------------------------------------------

IP QUALITY OF SERVICE (CISCO NETWORKING FUNDAMENTALS)

Network planners, designers, and engineers need to have an understanding
of QoS concepts and features to enable your networks, to run at maximum
efficiency and to deliver the new generation of time-critical multimedia and
voice applications. IP Quality of Service serves as an essential resource and
design guide for anyone planning to deploy QoS services. The author provides
full coverage of the technical concepts of QoS functions and mechanisms, the
need for QoS, network design considerations, and the Internet QoS Architecture.
He then explores all the QoS features available in Cisco IOS, supplying you with
application examples designed to highlight configurations required to deploy each
feature. The emphasis is on real-world application - going beyond conceptual
explanations to teach you about actual deployment. Each chapter concludes
with a question-and-answer section to help reinforce understanding of the
concepts and applications of the technology.

Book:
< http://www.amazon.com/exec/obidos/ASIN/1578701163/netsecurity >

----------------------------------------------------------------------------

PKI: A WILEY TECH BRIEF

With major efforts underway to standardize a successful public key infrastructure
(PKI) system, there is a growing need among network and security managers for
authoritative information on PKI technology. This book offers a plain-language
tutorial for people with limited technical background but with acute business
need to understand how PKI works. Written by a widely recognized expert in
the field, Public Key Infrastructure Essentials explains how a successful PKI
system can provide both security and privacy for Web-based applications
through assigning encrypted keys to individuals or documents. Readers will
find extensive business case studies and learn how to qualify vendors, write
a Certification Practice Statement (CPS), build directories, and implement
mechanisms for issuing, accepting, and revoking digital certificates.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0471353809/netsecurity >

----------------------------------------------------------------------------

SECURE ELECTRONIC COMMERCE: BUILDING THE INFRASTRUCTURE FOR
DIGITAL SIGNATURES AND ENCRYPTION

This book describes the technologies used to make electronic commerce secure,
together with their business and legal implications. The book begins with an
introduction to the underlying technologies and inherent risks of electronic
commerce. It considers the role of computer networks, the Internet, EDI and
electronic mail, as well as the problem of ensuring that electronic transactions
are resistant to fraud, may be traced, and are legally binding in all jurisdictions.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0130272760/netsecurity >

----------------------------------------------------------------------------

MICROSOFT WINDOWS 2000 SERVER RESOURCE KIT

The kit consists of seven books and a well-organized CD-ROM. Each of the
books contains comprehensive information about the respective area that it
covers, be it TCP/IP or distributed systems. The kit not only includes essential
information but also contains detail and background information for its many
subjects in great depth. For example, the book that covers Internet Information
Server includes instructions on developing client/server and multitier applications.
The Windows 2000 TCP/IP Core Networking Guide also has an introduction to the
core tenets of TCP/IP. Systems administration manuals have come a long way in
terms of usability and presentation, but they are still not the easiest to use.
Many books (including some from Microsoft) of lesser scope provide information
in a format that's easier to follow, and that includes screen shots and step-by-
step instructions. The volumes in this kit do not provide as many images,
illustrations, or diagrams as other volumes, but the level of technical detail
is unbeatable.

Book:
< http://www.amazon.com/exec/obidos/ASIN/1572318058/netsecurity >

----------------------------------------------------------------------------

RETHINKING PUBLIC KEY INFRASTRUCTURES AND DIGITAL CERTIFICATES: BUILDING IN PRIVACY

In this book Stefan Brands proposes cryptographic building blocks for the design
of digital certificates that preserve privacy without sacrificing security. Such
certificates function in much the same way as cinema tickets or subway tokens:
anyone can establish their validity and the data they specify, but no more than
that. Furthermore, different actions by the same person cannot be linked.
Certificate holders have control over what information is disclosed, and to
whom. Subsets of the proposed cryptographic building blocks can be used
in combination, allowing a cookbook approach to the design of public key
infrastructures. Potential applications include electronic cash, electronic
postage, digital rights management, pseudonyms for online chat rooms,
electronic voting, and even electronic gambling.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0262024918/netsecurity >

----------------------------------------------------------------------------




Security Software
-------------------

All programs are located at:
http://net-security.org/various/software

----------------------------------------------------------------------------

SECURITY 1.1

Security was developed to store and call passwords as simply as possible. The
program offers grouping of data by a tree structure. To maintain your passwords
with the greatest possible protection from forbidden access, a newly developed
method of the data encoding was integrated into the security features - it
encodes the data at every storage process with another key. There is also
an import and export filter (TXT, CSV, HTML, and XML), and there is no
installation necessary.

Info/Download:
< http://net-security.org/various/software/976899499,1549,.shtml >

----------------------------------------------------------------------------

E-LOCK READER 4.0

E-Lock Reader is a free digital signature verification plug-in that allows users
to verify files or documents that have been digitally signed, establishing the
authenticity of the source of the information. It also allows users to perform
on-line validation of the digital certificate with which the document was signed.
It integrates with Microsoft Word, Excel, and Adobe Acrobat, and allows users
to verify signed documents from within these applications. It also integrates
with the Windows Explorer and lets users verify files of any format by simply
right-clicking the signed files.

Info/Download:
< http://net-security.org/various/software/976899744,77951,.shtml >

----------------------------------------------------------------------------

MOUSE LOCK 1.61

Mouse Lock is designed to prevent unauthorized use of your computer. The
program traps your mouse pointer inside a small button. You or your computer
can trap or free the mouse at specified times. Mouse Lock will also disable
special key combinations, such as Alt-Tab, Ctrl-Esc, Ctrl-Alt-Delete, and
others, and protects against restarting and resetting your computer.
Features include a status bar and timer, and the ability for Mouse Lock
to turn off the monitor. This update features an added monitor control.

Info/Download:
< http://net-security.org/various/software/976899831,80642,.shtml >

----------------------------------------------------------------------------

PASSWORDS BY MASK 1.40

Passwords by Mask is an application designed to generate passwords containing
any character content. Passwords by Mask allows users to choose their
password symbols. You can fix random or specified alphabetic, random, or
specified numeric; random or specified alphanumeric; random or specified
special; or random or specified for all the keyboard characters. This feature
allows you to generate a random user ID and password at the same time.
Passwords by Mask can use the Windows Clipboard to transfer passwords
between programs.

Info/Download:
< http://net-security.org/various/software/976899929,29559,.shtml >

----------------------------------------------------------------------------

CIPHERPACK 1.00

CipherPack compresses and enciphers files using an industrial strength
cryptographic technique and then 'packs' them with the decompression
and deciphering code. The result is a single executable file which can be
safely distributed by any means (including the Internet). No other
cryptographic software is required by the end user and only someone
who knows the correct key can recreate the original file. Can be used
stand-alone or as anti-piracy software.

Info/Download:
< http://net-security.org/various/software/976900168,28735,.shtml >

----------------------------------------------------------------------------




Defaced archives
------------------------

[12.12.2000] - ASE Group/Advanced System Ingineering
Original: http://www.ase.ru/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/12/www.ase.ru/

[12.12.2000] - Naval Surface Warfare Center (NSWC)
Original: http://www.nswcphdn.navy.mil/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/13/www.nswcphdn.navy.mil/

[13.12.2000] - Internet Corporation for Assigned Names and Numbers (ICANN)
Original: http://www.icann.org/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/13/www.icann.org/

[14.12.2000] - Microsoft Slovenia
Original: http://www.microsoft.si/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/14/www.microsoft.si/

[14.12.2000] - Kaspersky AntiVirus, Brazil
Original: http://www.kasperskylab.com.br/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/14/www.kasperskylab.com.br/

[14.12.2000] - AVP 2000 Brazil
Original: http://www.avp2000.com.br/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/14/www.avp2000.com.br/

[15.12.2000] - M M Electronic Business Solutions Ltd.
Original: http://vidar.mmebs.co.uk/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/15/vidar.mmebs.co.uk/

[15.12.2000] - eEye Digital Security
Original: http://www.eeye.com/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/15/www.eeye.com/

[15.12.2000] - Hewlett-Packard Hong Kong
Original: http://www.hp.com.hk/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/15/www.hp.com.hk/

[15.12.2000] - Indian National Informatics Centre
Original: http://cal.wb.nic.in/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/15/cal.wb.nic.in/

[15.12.2000] - Aesesorbaires Gov (AR)
Original: http://www.asesorbaires.gov.ar/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/15/www.asesorbaires.gov.ar/

[16.12.2000] - State of Washington
Original: http://www.dol.wa.gov/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/16/www.dol.wa.gov/

[16.12.2000] - Apmanta Gov (EC)
Original: http://www.apmanta.gov.ec/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/16/www.apmanta.gov.ec/

[16.12.2000] - Horizon Capital Bank
Original: http://www.horizoncapitalbank.com/
Defaced: http://www.attrition.org/mirror/attrition/2000/12/16/www.horizoncapitalbank.com/

----------------------------------------------------------------------------


Questions, contributions, comments or ideas go to:

Help Net Security staff

staff@net-security.org
http://net-security.org

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT